Tag: website security

If you have received this “Google docs” phishing email in your inbox – DO NOT CLICK ON ANY LINK.

This is another phishing attempt.

Google Docs is a great online resource allowing you to create, store and share documents, spreadsheets and other useful things. The problem is that if you click on the link in the email it takes you to what you might think is a sales website.

Where does it take you?

As you can see – nothing to do with the “sender” – it may not even be a pathetic attempt to show you some fitness equipment. No, I think it's a nasty document with embedded programming that can harm your PC.

Here is what to look for:

They also used a standard sales@ attempt to get through filters, and frankly it worked. But you would expect most businesses to have a sales@ email address.

I noticed a press release by the ICO today that is worth passing on to website owners. Particularly WordPress website owners.

It highlights the need for adequate security and good technical website development when storing clients information as not just “good practice” but as something that can become financially painful if you get it wrong.

“An online building products supplier has been fined £55,000 by the Information Commissioner’s Office (ICO) after the firm failed to protect its customers’ personal information.

On 6 May 2014 an attacker used a common hacking technique called an SQL injection to access 669 unencrypted cardholder details including names, addresses, account numbers and security codes.

An investigation by the ICO discovered the Plymouth-based firm did not have the appropriate technical measures in place to prevent the attack. This is a breach of the Data Protection Act.”

If you store customers' data you become a “data controller” and as such you have legal responsibilities to ensure it is held securely and protected from any sort of loss or attack.

In this case two of their domains were hacked by an “SQL injection”, which is a brute force attack and as such should be expected by any website hosting provider, website development company and potentially a website owner.

I believe that once the hacker had access they then changed the website so that any customer details then entered would be recorded and stored by the hackers.

The important technical details:

The login pages contained a coding error from 2009 until 2015 when the attack occurred.

An attacker exploited this vulnerability in two domains by using SQL injection to gain access to usernames and password hashes for the WordPress section of the site. (read more on WordPress below)

The attacker was able to modify payment pages and access 669 unencrypted cardholder details at the point of entry to the website (including name, address, primary account number and security code).

The ICO decided that:

The website owner failed to carry out regular penetration testing on its website that should have detected the error.

The website owner failed to ensure that the passwords for the WordPress account were sufficiently complex to be resistant to a brute-force attack on the stored hash values.

SQL injection is a well-understood vulnerability and known defences exist.
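As an added illustration of the last two findings (not code from this post or from the firm involved): a constructed Python/SQLite stand-in for a CMS login lookup, showing the string-built query that a submitted value can rewrite beside the parameterised query that cannot be, and a salted slow hash for the stored passwords. The table layout, usernames and passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3

def hash_password(password, salt):
    # Slow, salted hash: a leaked table of these cannot be guessed through
    # quickly offline, which is the point the ICO made about the stored hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    # Constructed in-memory users table standing in for the CMS users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, salt BLOB, pw_hash BLOB)")
    for name, pw in (("admin", "correct horse battery"), ("editor", "Tr0ub4dor&3")):
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (name, salt, hash_password(pw, salt)))
    return db

def lookup_vulnerable(db, name):
    # The coding error: the username is pasted into the SQL text, so the
    # submitted value can change the meaning of the query.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, name):
    # The known defence: a parameterised query. The value is bound separately
    # from the SQL text and is never parsed as SQL, whatever it contains.
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def login(db, name, password):
    # Safe lookup plus a constant-time comparison of the recomputed hash.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))

# Constructed test input of the kind the regular penetration test the ICO
# expected would submit: the quote closes the string and the OR matches
# every row, so the vulnerable lookup returns all usernames.
INJECTED = "' OR '1'='1"
```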

WordPress problem

Because WordPress is open source it is very popular and easy to install and build with, which of course is a good thing; it has become the world's most popular open source website software. The blog you are reading is using WordPress, for example. However, because it is so easy and free to use it is sometimes used by developers who are not sufficiently technical to build websites correctly. It seems this was the case in the unfortunate incident above.

WordPress has a base core code, a styling theme which you overlay on top, and then you add modular extensions (plugins) to it to enable functionality: move images, add forms, edit pages etc. A lot of these plugins are written by keen non-commercial entities or individuals. They can write them – so they do. Sometimes the quality of the code or security considerations are overlooked and they rely on website owners to find the errors and sort them out. Clearly you can't run a business that way very successfully – at least not for long. (We often have to fix WordPress plugins that don't work.)

The website developers in this case seem to be the website owners themselves, who also set themselves up as a website design company. (Some diversification!) At the time of writing, if you are an original website customer of theirs and have an issue you now need to use a “FREE, lightweight, reliable, open source, and easy to setup and use” ticketing system to report errors to another agency, as they have gone into liquidation.

What can we learn from this?

You get what you pay for.

If you didn’t spend very much on your website it is worth checking if it has been built correctly.

The software that creates websites is very complex. Hackers regularly try to find ways to gain access to websites through databases (most CMS systems run on databases) or via bad coding.

Website developers need to ensure that any website they create is tested for vulnerabilities in the code. The developers should always use the latest version of the website content management system and have update protocols in place to patch any vulnerabilities that may come to light in the future. They also need to implement regular updates to the core code. It seems that the error in the above example had been there for about 6 years.

Clients need to understand that they should expect to pay for skilled and experienced web developers to ensure that their websites are technically sound and are up to date. Especially at the initial build stage, but also at regular intervals over the life of the website.

So, do you get what you pay for?

We think so.

Ask your website developers what their plans are for updates and security patches for your website.

Your pc is at risk of infection if you click on a link or open an attachment in these emails

Phishing emails on the rise again – don’t get caught!

I came across 3 new spam/phishing emails and one Trojan Horse email this week alone. I thought you need to know about them and consider yourself warned NOT to open any link or attachment.

Phishing Email 1

Apparently I’ve bought a phone from Amazon.com and this is the shipping confirmation.

I haven’t bought anything from Amazon in the States (dot com domain name) and I already have an iPhone.

What is more dangerous about this email is that it is not telling you to click the link, it just sits there expecting you to want to find out more. The link goes nowhere near Amazon and you will end up giving some criminal your Amazon login details.

Phishing Email 2

Another nasty email using the Amazon brand name is this one purportedly offering an Amazon reward card etc.

They don’t even pretend that they are Amazon and even let you know that you need to give them more details before you may get a gift card. I doubt any exist.

Phishing Email 3

Dropbox is an excellent tool for storing documents and allowing others to access them from anywhere, including you.

The link wanting me to open this file, apparently shared with me from an educational email address, goes nowhere near Dropbox. Do not click this link!
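The common thread in the three emails above is that the visible text names a brand while the link itself goes nowhere near that brand's domain. As an added example (not from this post), here is a small Python check that pulls the anchors out of an HTML email body and flags any whose text mentions a brand but whose link host is not under that brand's real domains. The brand-to-domain table and the sample email fragment are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed mapping of brand names to the domains they really use.
BRAND_DOMAINS = {"amazon": ("amazon.com", "amazon.co.uk"),
                 "dropbox": ("dropbox.com",)}

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_matches(host, domain):
    # True for the domain itself or a real subdomain of it; a look-alike such
    # as amazon.com.evil.example does not end with ".amazon.com" and fails.
    return host == domain or host.endswith("." + domain)

def suspicious_links(html):
    """Return (text, host) for links whose text mentions a brand but whose
    host is not under one of that brand's domains."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        for brand, domains in BRAND_DOMAINS.items():
            if brand in text.lower() and not any(host_matches(host, d) for d in domains):
                flagged.append((text, host))
    return flagged

# Constructed sample fragment, not one of the emails shown in the post.
SAMPLE = ('<p>Your order has shipped. <a href="http://login-check.example.net/amz">'
          'View your Amazon order</a></p>'
          '<p><a href="https://www.amazon.com/orders">Amazon orders</a></p>')
```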

Malware/Trojan Horse Email

This is another that bothered me. Apparently Companies House has had a complaint about our business. Companies House do not receive complaints about companies. They have confirmed this.

The problem is the Word attachment. Unfortunately Microsoft Word documents can contain programming called macros which can install malware on your computer. Do not open the attachment if you get this.

Some definitions to help you

malware

noun
Software which is specifically designed to disrupt, damage, or gain unauthorised access to a computer system.

Trojan Horse

noun
A program designed to breach the security of a computer system while ostensibly performing some innocuous function.

phishing

noun
The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
